Installation of Cisco ACS 5.4

I am setting up Cisco ACS 5.4 for my org. The way I put it in place, ACS passes authentication to a RADIUS server. The problem is that it does for the user and the password to enable on each account. Is there a a way to configure ACS to review on-site in its stores of internal identity for the enable password but keep passing on the user part of RADIUS?

Hi Jessica,.

I went through your query and it seems that you would like to authentication of the connection to be checked with another external radius (radius proxy server) server and can be verified with the password to enable configured locally on GBA.

I don't think that if this cannot be done with the Protocol radius with Ganymede, however we can use service attribute and that you can set in the identity > selection if the service corresponds to point of AD database connection or if the matches allow it to point to the internal database based on rules. I've attached a screenshot of the same thing for your reference. The source of identity could be anything configured databases.

~ BR
Jatin kone

* Does the rate of useful messages *.

Tags: Cisco Security

Virtual Machine requirements

The minimum configuration for the virtual machine must be similar to the hardware configuration of the server series CSACS-1120.

Table 6-1 lists the minimum system requirements to install ACS 5.2 on a VMware virtual machine.

Table 6-1. minimum system requirements

Type of requirement	Minimum requirements
CENTRAL PROCESSING UNIT	Intel Core2; 2.13 GHz
Memory	4 GB OF RAM
Hard drives	500 GB of disk storage
NIC	1 GB NETWORK interface
Hypervisor	VMware ESX 3.5 or 4.0

Installation of ACS 5.2 on VMware

http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_vmware.html#wp1057864

Kind regards

Jousset

Cisco ACS 4.2: The most important to back up files?

Dear Sir

Can you tell me what are the most important files to back up in the Cisco ACS directory?

Currently, I am only backup (with Symantec Backup Exec):

C:\Program Files\CiscoSecure ACS v4.2\CSAuth\System backups

* But, I would like to know if my server crash, can I restore the entire configuration with the files listed in the directory below? (Users, groups, groups of devices, AD, mapping, users, groups,...)

* The Cisco ACS there change in the Windows registry?

* Is it necessary to reinstall the Cisco ACS, if I need to put in an emergency on a new server? I guess Yes, because the installation creates services, etc.

I ask this question because it takes time to install the patches...

* Or, can I save all the Cisco ACS directory... On a new server, install the Cisco ACS and restore the backup?

Thank you very much for giving me your experience about it.

Kind regards

You should back up the files that come from ACS backups, i.e.

System configuration > backup GBA, the location that is specified in this section.

And the default location is the one that already save for example "C:\Program Files\CiscoSecure ACS v4.2\CSAuth\System backups"

In case you are required to host ACS on a new server, you would be required to re - install the complete application of the CSA and then simply take the last backup and restore in the newly installed ACS. It will be to restore everything users, group etc. to etc. of the external database mappings.

When you install ACS on a new server, then make sure that if you run them Services ACS with a service account (this is required for the authentication of the window according to your requirement), you would be required to run new services with this account too, and which may require that go you through the following documentation.

http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/Windows/postin.html#wp1041202

Kind regards

Prem

Please rate if this can help!

Version of Cisco ACS 5.1.0.44.3 integrate with active directory server from Microsoft windows 2012?

Version of Cisco ACS 5.1.0.44.3 integrate with active directory Microsoft windows 2012 R2 server?

Unfortunately, it does not support R2 2012

5.1 ACS supports all editions of:

Windows Active Directory (AD) 2000

Windows AD 2003

Windows AD 2003 R2

Windows AD 2008

Source

Windows AD 2012 R2 is supported after ACS 5.5 patch 1 and following.

Source

Please find below the steps to go from 5.1 to 5.5 hotfix 1:

STEP	FILE	COMMAND
Apply the 5.1 patch 6	5-1-0-44 - 6.tar.gpg	ACS patch install repository 5-1-0-44 - 6.tar.gpg ftp_repository_name
Apply 5.3	ACS_5.3.0.40.tar.gz	application upgrade ACS_5.3.0.40.tar.gz ftp_repository_name
Apply the patch 5.3 8	5-3-0-40 - 8.tar.gpg	ACS patch install repository 5-3-0-40 - 8.tar.gpg ftp_repository_name
Apply the sharp Patch	Pointed-PreUpgrade-CSCum04132-5-3-0-40.tar.gpg	ACS patch installs Pointed-PreUpgrade -CSCum04132- 5-3-0 - 40.tar.gpg repository ftp_repository_name
Apply 5.5	ACS_5.5.0.46.tar.gz	application upgrade ACS_5.5.0.46.tar.gz ftp_repository_name
Apply the patch 5.5 1	5-5-0-46 - 1.tar.gpg	ACS patch install repository 5-5-0-46 - 1.tar.gpg ftp_repository_name

Best regards ~ jousset

Problem with certifcate on Cisco ACS

We want to authenticate our internal wireless users using our Cisco ACS running 5.3. GBA questions our Active Directory environment for the user name and password provided. I created a CSR on GBA and it provided to Entrust. They gave me a root certificate, string and server. I've linked the server certificate to the CSR under System Administration > Local Server Certificates > local certificates. I then added the chain and the root certificates to the users of the site and identity stores > autorit├⌐s. When I try to connect to a laptop client he asks a user name and password, but after entering this information, I am presented with the warning on this certificate below. This certificate is to Entrust and I see the certificate root in the root store on the laptop. Any ideas what would cause this. TAC does not seem to have all the answers. They say it's a problem of the client machine.

In case you want to check your configuration settings.

http://www.Cisco.com/en/us/products/ps10315/products_configuration_example09186a0080bd1100.shtml

~ BR
Jatin kone

* Does the rate of useful messages *.

Cisco ACS server

Hello

I currently have a Cisco ACS 3.3 Server. I want to upgrade the server to the latest version and cluster with one another so that we can have a redundant infrastructure because if one fails it also includes...

Can provide you a solution for this?

Thank you

Hello

The latest version is 4.1 ACS. You can upgrade 3.3.3 build 11 directly to 4.1.

Then, you can install an another ACS 4.1 on a different machine and replication configuration between these two. In this way, you will need to make changes to only one that ACS and the secondary will be automatically updated.

Once these two are defined, you can set both of these servers as a server Radius/Ganymede on devices and there will be a redundancy.

Kind regards

Vivek

How can I use Cisco ACS to save Shell commands

Hi guys, pleeeease how can I configure Cisco ACS to do command authorization on my Cisco 3660 router. I get the accounting logs and authentication but no newspaper that show orders issued by users - shell and it's the most important paper that I need. I read materails and download articles on the site of Cisco... but the thing is still does not give me the papers.

I have these lines on my router:

...

AAA authorization config-commands

AAA authorization exec default group Ganymede +.

AAA authorization commands 15 default authenticated if

AAA authorization network default group Ganymede +.

...

It's funny, when I turn on debugging of the authorization of the AAA on the router, it shows me every command being sent by the user on the debug log. But nothing shows under Administration TACAC + on the Cisco Secure ACS. What is responsible for this?

*****************************************************

I installed the trial version of the Cisco ACS 90 days and made all necessary settings and I have to say I like what I see already. I'm opening moves to recommend the product to purchase. Thank you guys, I got about the features of this ACS software through this forum, keep up the good work. I recommend the software for those who need to have adapted to the management reports Security Audit logs.

If I understand what you're asking correctly, the answer is not in the authorization, that it is in accounting. I set up on my routers and send to ACS orders that level 15 privilege users enter on the router.

orders accounting AAA 15 by default start-stop Ganymede group.

Cisco ACS 1113 appliance v4.1 - integration of RSA Securid v6.1

The Windows of Cisco ACS version seems to have the ability of integration with RSA Securid its listed in external databases. It can also support the SDI Protocol if you install the agent on the Windows ACS platform. I need to use a Cisco ACS 1113 but RSA Securid does not appear in the section external databases. This mean that I won't be able to use the SDI Protocol only available RADIUS.

And Yes you are right,

With ACS, we need to configure using RADIUS, on ACS SE it won't work with SDI.

Kind regards

Prem

Problem with Cisco ACS and different areas

Hello

We are conducting currently a problem with Cisco ACS that we put in place, and I'll try to describe:

We have ACS related directory AD areas, where we have 2 domains and appropriate group mappings.

Then we have our Cisco switches with the following configuration,

AAA new-model

AAA-authentication failure message ^ CCCC

Failled to authenticate!

Please IT networks Contact Group for more information.

^ C

AAA authentication login default group Ganymede + local

AAA authorization exec default group Ganymede + local

AAA authorization network default group Ganymede + local

AAA accounting exec default start-stop Ganymede group.

orders accounting AAA 15 by default start-stop Ganymede group.

!

AAA - the id of the joint session

But the problem is that with the users in a domain, we can authenticate, but not the other. Basically, the question is that when we check on the past of authentication, two authentications are passage and the display of 'Authentic OK', but on the side of the switch, there is a power failure.

There may be something wrong with the ACS?

Thank you

Jorge

Try increasing the timeout on IOS device using radius-server timeout 10.

Do we not have journaling enabled on the ACS server remotely?

-Philou

Cisco ACS 5.8 CLI admin account lockout

Hi all

We recently deployed device Cisco ACS 3495 and running on a version 5.8.

Everything seems well while our for the CLI admin account was locked out.

Found a bug in Cisco for the same problem with version 5.5, but no solution yet...

ACS 5.5 CLI Admin account locked and no Log Message

CSCur37203

Someone out there who might have encountered the same issue and can help advise?

Thank you and best regards,

NDA

Hello

Unfortunately, the only solution for this is the DVD of password recovery.

Once fixed, you can increase the car locked out amounted to something greater than the default value of Cisco.

5.4 double certificate option Cisco ACS

Hello Experts

I wonder if anyone knows if I can get two certificates on my Cisco ACS 5.4 server. The documentation says I can have it as long they have different 'from' and 'to' dates with a same name CN. However, this is a production server and wanted to if sure before I make changes. I currently have a certificate installed and everything works well but need to add a second for migration purposes.

Hovsep Armeni
LAN, UK

A certificate can be linked to these two services (HTTP and EAP), however, each service can only be associated with a single certificate. Thus, for example, you cannot have two certificates that are related to the EAP process.

Thank you for evaluating useful messages!

How to restore the password on Cisco ACS 5.4

Hello!

Try to restore the Cisco ACS 5.4 password installed on vmware. Where can I get the password recovery DVDs? There is no software in the list on the site.

TAC may provide to you. You will need to open a folder and the application.

HTH

Cisco ACS SE GANYMEDE + accounting fails

Hello

I'm under Cisco ACS SE 4.1.23.5. My problem is that the ACS don't Jrnl of the remote switches. I have configured the following accounting commands:

AAA accounting exec default start-stop Ganymede group.

orders accounting AAA 0 arrhythmic default group Ganymede +.

orders accounting AAA 15 by default start-stop Ganymede group.

Default connection accounting AAA power Ganymede group.

When I enable aaa accounting debugging, I get the following logs on the switch.

001091: 12 sep 12:06:06.464 TSB: AAA/ACCT: user johndoe, acct type 3 (2684940942): method = Ganymede + (Ganymede +)

001092: 12 sep 12:06:06.665 TSB: TAC +: (2684940942): received the status of response acct = SUCCESS

001093: 12 sep 12:06:11.128 TSB: AAA/ACCT/CMD: user johndoe, tty2, 15 private Port:

'show running-config '."

001094: 12 sep 12:06:11.128 TSB: AAA/ACCT/CMD: find the "default" list

001095: 12 sep 12:06:11.346 TSB: AAA/ACCT: user johndoe, acct type 3 (1583033889): method = Ganymede + (Ganymede +)

001096: 12 sep 12:06:12.000 TSB: TAC +: (1583033889): received the status of response acct = SUCCESS

001097: 12 sep 12:08:16.303 TSB: AAA/ACCT/CMD: user johndoe, tty2, 15 private Port:

' configure terminal '."

001098: 12 sep 12:08:16.303 TSB: AAA/ACCT/CMD: find the "default" list

001099: 12 sep 12:08:16.303 TSB: AAA/ACCT: user johndoe, acct type 3 (1098049616): method = Ganymede + (Ganymede +)

001100: 12 sep 12:08:16.504 TSB: TAC +: (1098049616): received the status of response acct = SUCCESS

001101: 12 sep 12:08:29.884 TSB: AAA/ACCT/CMD: user johndoe, tty2, 15 private Port:

It seems that the switch is well a response but the CSA record. I have updated the ACS for the latest patch (4.1.23.5), which is supposed to resolve this known bug.

Is there something that I am missing?

Thank you.

ESD

And what you get in the newspapers of Ganymede Administration?

Kind regards

Prem

Installation of Cisco ACS 5.4

Similar Questions

Virtual Machine requirements

Version of Cisco ACS 5.1.0.44.3 integrate with active directory Microsoft windows 2012 R2 server?

Maybe you are looking for